Bug 2445291 (CVE-2026-29063)

Summary: CVE-2026-29063 immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abarbaro, akostadi, alcohan, alizardo, amasferr, anjoseph, anpicker, anthomas, bdettelb, bparees, brasmith, cochase, dmayorov, doconnor, dranck, dschmidt, dymurray, ehelms, erezende, ewittman, fdeutsch, ggainey, gparvin, hasun, ibolton, janstey, jbalunas, jcantril, jchui, jfula, jhe, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jowilson, jprabhak, juwatts, jwong, kbempah, kshier, ktsao, lchilton, lphiri, manissin, mhulan, nboldt, nipatil, nmoumoul, nyancey, omaciel, ometelka, oramraz, osousa, pahickey, pantinor, pcreech, pgaikwad, psrna, ptisnovs, rchan, rhaigner, rjohnson, rkubis, rojacob, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, solenoci, sseago, stcannon, stirabos, syedriko, teagle, thason, tmalecek, tsedmik, ttakamiy, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Immutable.js, a library for persistent immutable data structures. This vulnerability, known as Prototype Pollution, allows an attacker with low privileges to inject unwanted properties into core JavaScript object prototypes without user interaction. By manipulating specific APIs such as mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject(), a remote attacker could potentially execute arbitrary code or cause a denial of service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2450796, 2450799, 2450797, 2450798, 2450800, 2450801    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-06 19:01:21 UTC 
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.